-
漏洞描述

XMB Forum contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the restrict variable in the member.php script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.

-
时间线

公开日期:
2004-03-26

发现日期:
Unknow

利用日期:2004-03-26

解决日期:Unknow

-
解决方案

Upgrade to version 1.9.1 Final or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

-
漏洞作者

-
漏洞信息

漏洞作者:
Discovery of these issues is credited to Janek Vind <come2waraxe@yahoo.com>.

-
受影响的程序版本

XMB Forum 1.9 beta
XMB Forum 1.8 SP3
XMB Forum 1.9.10

-
不受影响的程序版本

XMB Forum 1.9.10

-
漏洞讨论

Multiple vulnerabilities have been reported in XMB Forum. The specific issues include an information-disclosure issue and multiple cross-site scripting and SQL-injection issues.

Attackers can exploit these issues to steal cookie-based authentication credentials, modify SQL query logic and structure, and obtain sensitive information about the underlying environment. Cumulatively, these issues could allow remote attackers to hijack accounts, compromise the forum, mount attacks on the database, and launch further attacks against system resources.

Note that these issues appear to have been introduced across different versions of the software.